Virus:TR/Spy.ZBot.9164.1
Date discovered:15/10/2009
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:91.648 Bytes
MD5 checksum:642ff076c8bc5b3be5b9e853337d1820
IVDF version:7.01.06.111 - Thursday, October 15, 2009

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Infostealer.Banker.C
   •  Kaspersky: Trojan-Spy.Win32.Zbot.gen
   •  F-Secure: Trojan-Spy.Win32.Zbot.gen
   •  Sophos: Mal/Zbot-R
   •  Grisoft: Win32/Cryptor


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Registry modification
   • Steals information

 Files It copies itself to the following location:
   • %SYSDIR%\sdra64.exe



The following files are created:

– Temporary files that might be deleted afterwards:
   • %SYSDIR%\user.ds
   • %SYSDIR%\user.ds.dll
   • %SYSDIR%\local.ds




It tries to download a file:

– The location is the following:
   • http://195.93.208.106/**********/ip1.gif
At the time of writing this file was not online for further investigation.

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\software\microsoft\windows nt\currentversion\winlogon]
   • "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\sdra64.exe,"

 Email It doesn't have its own spreading routine but it was spammed out via email. The characteristics are described in the following:


From:
The sender address is spoofed.


Subject:
The following:
   • A new settings file for the %receiver's email address%



Body:
The body of the email is the following:

   • Dear user of the %recipient's domain% mailing service!
     
     We are informing you that because of the security upgrade of the mailing service your mailbox (%receiver's email address%) settings were changed. In order to apply the new set of settings click on the following link:
     
     http://**********.nerrasssp.co.uk/owa/service_directory/settings.php**********
     
     Best regards, %recipient's domain% Technical Support.
     



The email looks like the following:


 Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.


Hides the following:
– Its own file


Method used:
    • Hidden from Windows API
    • Hook the Import Address Table (IAT)

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Thomas Wegele on Thursday, October 15, 2009
Description updated by Thomas Wegele on Thursday, October 15, 2009

Back . . . .